CarahCast: Podcasts on Technology in the Public Sector

GovForward FedRAMP Headliner Summit: StateRAMP: Where are They Now?

Episode Summary

GovExec and Carahsoft co-hosted the annual GovForward FedRAMP Summit in Washington, D.C. to discuss the evolving threat landscape of federal cloud adoption. This event brings together government experts and industry innovators to examine the impact of threat-based cloud adoption, Federal policy changes and the power of knowledge sharing that drives technological advancements. Stay current with the latest developments in cloud computing and federal cybersecurity by accessing the on-demand sessions from this year’s conference. Discover how secure cloud computing solutions can shape the future of your agency or organization.

Episode Transcription

GovForward FedRAMP Headliner Summit

00:00

Steven Boberski from Genesys, want to thank again, thank Carahsoft for hosting this great event, a little bit about Genesys right quick. We are a UCaaS FedRAMP, authorized UCaaS, cloud service provider, and, you know, top right quadrant Magic Quadrant. If you'd like to know more about us, please see us at the booth. But you're not here to talk about us. We're here to talk about StateRAMP and TX-RAMP and FedRAMP. And what does it mean, right, there's reciprocity. It implies a lot. What does reciprocity mean, we had a nice lunch to chat about this. There's one way reciprocity, two way reciprocity, AI, we Genesys participate in all three programs, StateRAMP, TX-RAMP. And FedRAMP. There were different tracks to get from FedRAMP, to both. So it's really interesting conversation, you know, and the question is, what's the value? What, why would I want to participate in these programs? If I have got a federal authorization? Why do I need StateRAMP, why the States needed? And why would they participate that's we're going to talk about I think it's a great panel, like you're spending more time talking about it, we're gonna get him up here. So if everybody could come up, please, for the panel, we have.

01:02

I'm assuming the names are gonna come up shortly. But

01:05

representation from Texas.

01:09

Well, I guess I'll just introduce the moderator, it might be better so. So Chris, from Route Fifty.

01:14

Good afternoon, my name is Chris Teale. I'm a reporter with Route Fifty. I cover state and local government technology. Thank you all for being here. This is honestly one of my favorite venues in DC, mostly because you go up on the on the tower, and you get a great view of the skyline. So please all do that before five o'clock, when it closes,

01:33

We had to talk about StateRAMP, which is really important because state and local governments are really on the on the frontlines of cyber attacks, and they have to stay vigilant, and they have to keep the, you know, cloud providers safe. And this is a way of doing it. So today, we're going to discuss a few things, priorities for StateRAMP, the, you know, the evolution of the program, and the future, and how it plans to ramp up.

02:05

Thank you, thank you. So what we're going to do to start with is just work our way down the line. And we're going to have each of our panelists just say very quickly, who they are and what they do. I'm Nancy Rainosek, I'm the Chief Information Security Officer for the State of Texas. Leah McGrath, and I'm the Executive Director of StateRAMP. Good afternoon, everybody. I'm Ted Cotterill. I'm Indiana state chief privacy officer and the general counsel for our data analytics team. And the secretary treasurer of StateRAMP.

02:34

Steven Boberski from Genesys, my role is public sector, field CTO, and also business development sector. Great. And Leah I'm gonna start with with you if that's all right, I'm just curious for you to kind of talk us through a little bit about what StateRAMP is and your kind of aims, but also, you know, how it compares to FedRAMP. And I guess, maybe some lessons that you've learned from your colleagues in the in the federal department? Yeah, definitely. StateRAMP is a nonprofit, we were founded by a group of public and private sector leaders who came together to address a lot of what we've been talking about today, which is really supplier risk, and to say, how can we come together to create a shared risk authorized management program so that providers can benefit when they're serving states, locals, K-12, higher ed, you name it and the public sector? How can providers benefit by verifying that security posture once in order to serve their many government customers? And then how can states and locals really benefit by being able to rely on that risk authorized management program, so they're not having to do their own assessment over and over again, but instead, can really shift to managing risk and the things that only they can do? So as a, how do we compare to FedRAMP, that's like one of the number one questions that we hear. And so since everyone here is familiar with FedRAMP, it's a great way to kind of baseline level set. And we were founded, really our steering committee came together in 2020. So we had the advantage of years of lessons from the federal government and FedRAMP. And really, were able to stand on those shoulders to say, hey, what has worked well, what could maybe work better? And as a nonprofit, we have the flexibility to say and how can we do it maybe a little differently to serve, where states and locals are and where the providers are, who are serving them and their needs.
And so, similarly, StateRAMP and FedRAMP's security requirements and security framework are both based on NIST 800-53. Both transitioning right now from Rev 4 to Rev 5, both require or have statuses that are called StateRAMP Ready, StateRAMP Authorized. Sounds familiar, similar to FedRAMP Ready and FedRAMP Authorized. And so both of those processes to achieve StateRAMP Ready or Authorized or FedRAMP Ready or Authorized are similar in that they both require an independent audit by a third party assessing organization

05:00

And then that information is validated and verified by the PMO. Both have really strong foundations and continuous monitoring. And we all know that there's more we can do to be better. But that's where it starts to say, let's begin with that continuous monitoring, how we're different some of the key differences. We have a centralized program management office to our security team, rather than having each state or each agency or, or local, do that review of the security package and have responsibility for ConMon, our centralized security team does that. And so, StateRAMP, we've got lots of board, we have the board several committees, they set the standards. And then our security team is the one who's really making sure those standards are met, in order to achieve those authorizations. That is a key difference. We also we use the word government sponsor, I know that's a term that FedRAMP is moving away from but to be authorized at that highest level, we do have a government sponsor, but it means something different in StateRAMP. So that's a difference, I would point out because still, it's that PMO doing that centralized review. And then there's a government sponsor, whether it's the state or local, whomever that provider's working with can come in and do that kind of secondary check, it makes sure helps keep us on track to make sure that the PMO is doing what our government members are expecting. And we have an approvals committee. So if you don't have this is really important. This came up a lot in our learnings, when we were forming is that, hey, you may have a product that you want to bring to market that you'd like to bring through the process, but you don't have a government customer? Or maybe you do, but they're not interested in being a sponsor. So how do we get that product through the process, we have an approvals committee, who is comprised of five government officials who serve collectively as that, as that approving body kind of that second check.
The other ways that we're different, just real quickly, we also have another program that is different, that doesn't exist in the FedRAMP space, and it's called our progressing snapshot program. So what we found as we were launching StateRAMP and started working with our participating governments and started working with the provider community, is that there were a number of providers or products out there who just quite weren't ready for that audit, they weren't ready to go to a 3PAO and have that audit. So what do we do in the interim, and we found we were starting to develop all these resources and education, what we realized needed to come first was what we call our security snapshot. And that takes the criteria based on those most critical controls of NIST, and really gives you like a mini audit, that produces a score. So you think like credit score, but it's it's a NIST security score, and tells you where your strengths where your gaps are, and then our PMO team can work with you monthly to improve that to figure out how to how to close those gaps most efficiently, and then update that score every quarter. And so that's been just a huge transformation this year. And then lastly, we're a nonprofit. So that's probably where I should have started in our differences. And so we like to say we're government led and that the majority of our voting members on our board and committees come from government must represent government. But we've got private sector voices in there. And I think that's absolutely critical, because we've got to make sure this works for all all parties. And it's been really, really awesome journey. And a lot of fun this year, as we've been seeing it put more kind of to work. Great. Ted, this next one is actually going to be for yourself. Obviously, we have a ton of providers in the room with us today.
I hope, what are some of the benefits for them for being, you know, for getting involved with StateRAMP, especially if they, you know, serve the public sector? Yeah. Thanks, Chris.

09:02

I talk a lot with government folks about what the benefits today to them might be right. And as somebody in government, obviously familiar as we've gone through this process, in 2020, with the steering committee, and then in 2021, since launch, to really seeing governments realize those benefits for you all in the in the provider context. It really there. I think there are three things I'd like to highlight. Some of them build on really what Leah's already talked about. At its at its core, though, we want to enable you all to to bring innovation to government faster, right? Obviously, we're here in the lion's den. We're in Washington, DC. We're talking about FedRAMP most of the day, out there across the United States. There are all of these SLEDs, state, local government and educational institutions that need that rising tide. Right. So the three things that I think I'll hit on briefly are

10:00

StateRAMP Fast Track, security snapshot which we talked about a little bit, and then this idea of verify once, use many. So

10:09

first fast track, if you've already gone through it put in the effort to get your FedRAMP ready or authorized verification?

10:20

What if you could then take that, bring it to StateRAMP and open up your platform to all of these SLED, these state, local government and then education providers all across the country. Without an additional audit, you go through and you hand that authorization, that verification to StateRAMP PMO. And I think the timeline is approximately four to six weeks. Yeah, no, absolutely. So if you're coming through with fast track for fast track, if you are going from FedRAMP ready to StateRAMP ready, it's about four to six weeks, if you're coming from FedRAMP authorized to StateRAMP authorized, that's probably going to be two to three months because of that if you're leveraging the approvals committee, and it's really all our team works in sprint, so it's all about what sprint did you get in the actual to give you that range.

11:12

Well, the next one that I had hit on is this idea of verify once, use many. So this is a core component of I think the StateRAMP value add, where you come in, you get this trusted credential from StateRAMP that you've earned through this audit, and then you're going to be able to recycle that again. I know you're really familiar with the federal government context, that there are 50 states out there, there are territories, local governments in Indiana, we have something like 3000 units of local government.

11:43

Just in Indiana,

11:46

there is a there's a vast pool of need out there for all of your services. And if we can help again, I keep saying this, facilitate that rising tide, the idea that you can verify once, recycle over and over. And we all start to then speak that common language across cyber with local government, particularly that is so needed. So fast track, verify once use many and last is snapshot. So Leah talked about this a little bit. But it's the idea that if you come to me as a government person, maybe there's a competitive bid, that's a little lower level, maybe it's not an RFP or something.

12:25

But I'm going to see a series of, of bid packages from vendors. If yours is the one that has that point in time snapshot as to where your cyber posture is today.

12:36

There are other factors, but you you probably just went to the top of my list. So snapshot is going to give government that early stage confidence in your offering to sort of give you an edge. So those are, I think a few things that I highlight first. Right, thank you.

12:55

And then deep in the heart of Texas, Nancy, we have TX-RAMP, a whole thing unto itself. Can you just kind of explain how that program has developed? And what's kind of gone into that whole process? Okay, so I'm just gonna start with a couple of security incidents that we had.

13:14

One of them was pretty significant, because it

13:19

it identifies undercover police officers and their home addresses. And so as you can understand, that probably isn't a good thing. And so we were talking to the owner of the company and said after this, after this incident, are you going to hire an information security officer, and the guy said, I'm not going to pay somebody six figures to follow me around and tell me what to do. So

13:48

that was kind of the impetus for for the program. Our legislature passed a law, it was signed into law in June 2021. And we had five months to develop the program. And then another in another month, any contract for cloud services had to follow our program. And so if we had to really get started fast, and we borrowed or stole a lot from, from the other ramp organizations to stand it up. It's based on NIST 800-53. And essentially, we're not asking companies to do any more than we require of our state agencies. So that's that's how we developed it. It was done very quickly. And so it continues to evolve over time. We're getting ready to make a new evolution that I can't talk about until it's

14:44

October which hopefully will be final Of course.

14:50

We talked about making news.

14:52

Not going to but

14:55

but one of the things that that is really good about it is that in the

15:00

law we can reciprocate with FedRAMP, with StateRAMP, with other ramp programs. So

15:08

it's the certify once, use many. And we had really hoped that a lot of lot of our vendors would go with StateRAMP so that they could serve the folks in Texas. One of the big differences is my staff actually does the certifications.

15:29

So they, you know, you, you provide your artifacts to us, and we do the certification. So it takes a lot of time on our on our behalf, but it doesn't cost any money. So

15:42

great.

15:44

Well, we have a few minutes left. And so I have a few general questions for each of you. And Leah I'm going to come back to you to start with and then we're going to kind of work our way around.

15:53

One of the big focuses is kind of improving communication between government vendors, getting everyone to play nicely. How's that going? Are we are we getting there? Do you still feel like, you know, play school teacher trying to get everyone to behave themselves? What are we talking about? You know, what was really fun this year is we started what I would call kind of version two or the next generation, it's like if you've ever been a part of a first generation HOA, right? And then you have new HOA members, come on, I was deputy mayor of the city, I felt like I was the head of one big HOA for a long time. And so this has really resonated with me. But

16:34

yeah, and then you bring new members on, they're like, why is that paint color, okay, or not approved, you have to kind of begin with the why? Well, this year where we launched in January of 2021, and our committee terms and board terms, and all that are two years. And so January of 2023, we brought on some new members, we saw some transition, we were in that second generation of committee members, and we were meeting with our standards and technical committee, and our appeals committee. It was a joint work session, and someone said, Hey, why are we doing NIST 800-53? And it was like, oh, gosh, we haven't had that conversation in a few years. Right? Like, why wouldn't you? But but it was such an awesome moment to watch the committee members who represent public sector and private sector, have that conversation and come to the same conclusion that we had a couple of years ago, but to watch that conversation, and to see the next generation of committee members really owning the vision and owning the standards. And so I see it getting stronger. We had our first in person event, we had a StateRAMP symposium in May, we had awesome attendance and and just a lot of great collaboration that happens. And that's really what's the joy for me, and being a part of StateRAMP has been able to bring everyone together to say, let's hear all the voices, let's find where there's commonality there. Let's find where we can have that shared vision or understanding of standards. And we were talking earlier, I guess, if we can get 80 or 90%. There, man, that view is so good still, right. And if there's a little delta from state to state, those are pains that we can work through,

18:14

rather than having to climb that mountain, one at a time. And so I think it's it's going really well, it was evidenced by I think the committee work this year that has been done that I know we're going to talk a little bit about what's next. So I'll, I'll hold it until then. Yeah. Ted, I'm curious if you have anything else to add about, you know, communication lines of communication with providers. And I think, from my perspective, it's more between IT and, and procurement shops, IT that are that are driving the procurement of a lot of these these things to enable business users within state government to get things done. And then procurement houses that they've got a process and you go through it, and it's going to take as long as it's going to take right.

18:57

That's a continued focus for us. So as we inject a

19:03

framework into that, that is different for the procurement folks. But the IT within government sees it as beneficial.

19:11

We start to turn that ship slowly. One recognition of that early on is the Center for Digital Government revised its cloud procurement guide. So as governments are entering the cloud, it gives them a set of best practices to follow but to the point here, includes model Ts and Cs. So for a smaller unit of government that doesn't know how to get started in the cloud. Just having contract boilerplate to use as a starting point for those negotiations is really beneficial. The new version includes reference to both StateRAMP and FedRAMP, which I think is a recognition of the value. So we're, you know, we'll get there. Yeah. Oh, that's great to hear. All right. We have I have one final question for each of you, Nancy, I'm going to come to you first.

19:57

What's next? What are your priorities for the next time

20:00

I don't know, 12 months what's what's on what's on the horizon? You know, if that's not too personal a question. In terms of TX-RAMP, again, we're trying to make the process more efficient. And we're doing that through some changes that we're making. So that it's not as big of a burden on the vendors as, as you might think it is. So

20:24

that's

20:27

I think it's our CJIS task force. So Leah has talked a lot about

20:33

Rev 5, we started with Rev 4, we're we're moving to Rev 5.

20:39

We've got a lot of units of government, with state, local, and then these education players

20:46

and CJIS is a is an is a difficult outlier. I know in my shop, enterprise data in Indiana, it's 70 or 80, disparate systems connected to a single record linkage, a billion rows of data that we're trying to figure out where to maintain and how it can be used in different contexts. CJIS is always the one that we say yes, we can do that. But let's let's schedule five more meetings to talk about that. So StateRAMP is going to be working to sort of bridge that gap, make it easier for our members to become CJIS compliant and share that with governments. Yeah, that's really excited that you've all hit on so much. This CJIS task force is something that we're beginning next month, and really looking forward to, if you have interest, if you're a member of StateRAMP, know that we're going to be coming out and asking for feedback sessions. So we'll have some with our participating governments as well as those with provider members. So look for that and participate, we want to hear what you see across the country. So we can try to drive toward that 80 or 90% commonality where we can. But that's going to be a fantastic effort. We also have a joint task force with NASPO, the National Association of State Procurement. So we've got a joint procurement focused task force, where we're taking that Center for Digital Government guide. And then we've really been putting it to work to say, okay, as you know, about half the states have, I'm gonna use adopted in quotation marks, adopted StateRAMP in some way. So what we're seeing this year is a handful who are really putting it to work to implement it. And what does that look like? What does that mean? So we've got some sample standards, sample policies, sample Ts and Cs that we go a little bit deeper with, than the CDG guide did. And so we're going to be working with a NASPO task force, our joint task force to work through those documents to really drive toward again, commonality.
Because if we have standardization to some degree in InfoSec, wouldn't it be great to also have a standard approach in procurement across the states. And so that's a big initiative that will begin as well next month, working with NASPO and any public procurement officials.

22:55

So many other things, just continuing to build out our resources on our website and drive toward more education. So we are always looking for information. We just had our first provider leadership council meeting, looking for input, as you have ideas, suggestions, you experience StateRAMP going through a process, we want to hear what worked well, what didn't. So I think what's been really cool we were talking about with TX-RAMP and StateRAMP, we launched, we learned, we've iterated and we'll keep doing that. And we do that based on the input that we hear from our members and stay very closely, you know, with what is happening in the state of Texas as well so that to the degree we can provide that certify once, use many whether it's in Texas or anywhere else. That's our goal. So really appreciate you having us here today. So you might say that you're ramping up, I'm wrapping. Good. On that note. We're out of time. Please join me in thanking our panelists.